diff options
Diffstat (limited to 'extra/yassl/src')
| -rw-r--r-- | extra/yassl/src/cert_wrapper.cpp | 40 | ||||
| -rw-r--r-- | extra/yassl/src/crypto_wrapper.cpp | 7 | ||||
| -rw-r--r-- | extra/yassl/src/socket_wrapper.cpp | 4 | ||||
| -rw-r--r-- | extra/yassl/src/ssl.cpp | 31 | ||||
| -rw-r--r-- | extra/yassl/src/yassl_error.cpp | 11 | ||||
| -rw-r--r-- | extra/yassl/src/yassl_imp.cpp | 179 | ||||
| -rw-r--r-- | extra/yassl/src/yassl_int.cpp | 101 |
7 files changed, 259 insertions, 114 deletions
diff --git a/extra/yassl/src/cert_wrapper.cpp b/extra/yassl/src/cert_wrapper.cpp index 12da19962ef..d8660533f2e 100644 --- a/extra/yassl/src/cert_wrapper.cpp +++ b/extra/yassl/src/cert_wrapper.cpp @@ -1,5 +1,5 @@ /* - Copyright (c) 2005-2007 MySQL AB, 2009 Sun Microsystems, Inc. + Copyright (c) 2005-2007 MySQL AB, 2008, 2009 Sun Microsystems, Inc. Use is subject to license terms. This program is free software; you can redistribute it and/or modify @@ -25,6 +25,7 @@ #include "runtime.hpp" #include "cert_wrapper.hpp" #include "yassl_int.hpp" +#include "error.hpp" #if defined(USE_CML_LIB) #include "cmapi_cpp.h" @@ -91,7 +92,7 @@ opaque* x509::use_buffer() //CertManager CertManager::CertManager() : peerX509_(0), verifyPeer_(false), verifyNone_(false), failNoCert_(false), - sendVerify_(false) + sendVerify_(false), verifyCallback_(0) {} @@ -155,6 +156,12 @@ void CertManager::setSendVerify() } +void CertManager::setVerifyCallback(VerifyCallback vc) +{ + verifyCallback_ = vc; +} + + void CertManager::AddPeerCert(x509* x) { peerList_.push_back(x); // take ownership @@ -237,7 +244,7 @@ uint CertManager::get_privateKeyLength() const int CertManager::Validate() { CertList::reverse_iterator last = peerList_.rbegin(); - size_t count= peerList_.size(); + size_t count = peerList_.size(); while ( count > 1 ) { TaoCrypt::Source source((*last)->get_buffer(), (*last)->get_length()); @@ -258,7 +265,8 @@ int CertManager::Validate() TaoCrypt::Source source((*last)->get_buffer(), (*last)->get_length()); TaoCrypt::CertDecoder cert(source, true, &signers_, verifyNone_); - if (int err = cert.GetError().What()) + int err = cert.GetError().What(); + if ( err ) return err; uint sz = cert.GetPublicKey().size(); @@ -270,13 +278,25 @@ int CertManager::Validate() else peerKeyType_ = dsa_sa_algo; - size_t iSz= strlen(cert.GetIssuer()) + 1; - size_t sSz= strlen(cert.GetCommonName()) + 1; - size_t bSz= strlen(cert.GetBeforeDate()) + 1; - size_t aSz= strlen(cert.GetAfterDate()) + 1; + size_t iSz = strlen(cert.GetIssuer()) + 1; + size_t sSz = strlen(cert.GetCommonName()) + 1; + int bSz = (int)strlen(cert.GetBeforeDate()) + 1; + int aSz = (int)strlen(cert.GetAfterDate()) + 1; peerX509_ = NEW_YS X509(cert.GetIssuer(), iSz, cert.GetCommonName(), - sSz, cert.GetBeforeDate(), (int) bSz, - cert.GetAfterDate(), (int) aSz); + sSz, cert.GetBeforeDate(), bSz, + cert.GetAfterDate(), aSz); + + if (err == TaoCrypt::SIG_OTHER_E && verifyCallback_) { + X509_STORE_CTX store; + store.error = err; + store.error_depth = static_cast<int>(count) - 1; + store.current_cert = peerX509_; + + int ok = verifyCallback_(0, &store); + if (ok) return 0; + } + + if (err == TaoCrypt::SIG_OTHER_E) return err; } return 0; } diff --git a/extra/yassl/src/crypto_wrapper.cpp b/extra/yassl/src/crypto_wrapper.cpp index 28d7f1b5693..e6168d4d69c 100644 --- a/extra/yassl/src/crypto_wrapper.cpp +++ b/extra/yassl/src/crypto_wrapper.cpp @@ -1,5 +1,5 @@ /* - Copyright (C) 2000-2007 MySQL AB + Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -953,8 +953,9 @@ x509* PemToDer(FILE* file, CertType type, EncryptedInfo* info) info->set = true; } } - fgets(line,sizeof(line), file); // get blank line - begin = ftell(file); + // get blank line + if (fgets(line, sizeof(line), file)) + begin = ftell(file); } } diff --git a/extra/yassl/src/socket_wrapper.cpp b/extra/yassl/src/socket_wrapper.cpp index eee5d47377f..3cf6c14c4b3 100644 --- a/extra/yassl/src/socket_wrapper.cpp +++ b/extra/yassl/src/socket_wrapper.cpp @@ -1,5 +1,5 @@ /* - Copyright (C) 2000-2007 MySQL AB + Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -37,7 +37,7 @@ #include <fcntl.h> #endif // _WIN32 -#if defined(__sun) || defined(__SCO_VERSION__) || defined(__NETWARE__) +#if defined(__sun) || defined(__SCO_VERSION__) #include <sys/filio.h> #endif diff --git a/extra/yassl/src/ssl.cpp b/extra/yassl/src/ssl.cpp index b5fe774fa1a..67d2d428e51 100644 --- a/extra/yassl/src/ssl.cpp +++ b/extra/yassl/src/ssl.cpp @@ -1,5 +1,5 @@ /* - Copyright (c) 2005-2007 MySQL AB, 2009 Sun Microsystems, Inc. + Copyright (c) 2005-2007 MySQL AB, 2008-2010 Sun Microsystems, Inc. Use is subject to license terms. This program is free software; you can redistribute it and/or modify @@ -246,6 +246,7 @@ YASSL_SOCKET_T SSL_get_fd(const SSL* ssl) } +// if you get an error from connect see note at top of README int SSL_connect(SSL* ssl) { if (ssl->GetError() == YasslError(SSL_ERROR_WANT_READ)) @@ -448,6 +449,9 @@ long SSL_CTX_set_session_cache_mode(SSL_CTX* ctx, long mode) if (mode == SSL_SESS_CACHE_OFF) ctx->SetSessionCacheOff(); + if (mode == SSL_SESS_CACHE_NO_AUTO_CLEAR) + ctx->SetSessionCacheFlushOff(); + return SSL_SUCCESS; } @@ -494,6 +498,15 @@ long SSL_get_default_timeout(SSL* /*ssl*/) } +void SSL_flush_sessions(SSL_CTX *ctx, long /* tm */) +{ + if (ctx->GetSessionCacheOff()) + return; + + GetSessions().Flush(); +} + + const char* SSL_get_cipher_name(SSL* ssl) { return SSL_get_cipher(ssl); @@ -561,7 +574,7 @@ int SSL_get_error(SSL* ssl, int /*previous*/) only need to turn on for client, becuase server on by default if built in but calling for server will tell you whether it's available or not */ -int SSL_set_compression(SSL* ssl) +int SSL_set_compression(SSL* ssl) /* Chad didn't rename to ya~ because it is prob. bug. */ { return ssl->SetCompression(); } @@ -605,13 +618,13 @@ char* X509_NAME_oneline(X509_NAME* name, char* buffer, int sz) { if (!name->GetName()) return buffer; - size_t len= strlen(name->GetName()) + 1; - int copySz = min((int) len, sz); + int len = (int)strlen(name->GetName()) + 1; + int copySz = min(len, sz); if (!buffer) { buffer = (char*)malloc(len); if (!buffer) return buffer; - copySz = (int) len; + copySz = len; } if (copySz == 0) @@ -694,7 +707,7 @@ int SSL_CTX_use_PrivateKey_file(SSL_CTX* ctx, const char* file, int format) } -void SSL_CTX_set_verify(SSL_CTX* ctx, int mode, VerifyCallback /*vc*/) +void SSL_CTX_set_verify(SSL_CTX* ctx, int mode, VerifyCallback vc) { if (mode & SSL_VERIFY_PEER) ctx->setVerifyPeer(); @@ -704,6 +717,8 @@ void SSL_CTX_set_verify(SSL_CTX* ctx, int mode, VerifyCallback /*vc*/) if (mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) ctx->setFailNoCert(); + + ctx->setVerifyCallback(vc); } @@ -977,7 +992,7 @@ char* ERR_error_string(unsigned long errNumber, char* buffer) static char* msg = (char*)"Please supply a buffer for error string"; if (buffer) { - SetErrorString(YasslError(errNumber), buffer); + SetErrorString(errNumber, buffer); return buffer; } @@ -1451,6 +1466,8 @@ unsigned long err_helper(bool peek = false) default : return 0; } + + return 0; // shut up compiler } diff --git a/extra/yassl/src/yassl_error.cpp b/extra/yassl/src/yassl_error.cpp index dc120028e13..e167075b984 100644 --- a/extra/yassl/src/yassl_error.cpp +++ b/extra/yassl/src/yassl_error.cpp @@ -1,5 +1,5 @@ /* - Copyright (C) 2000-2007 MySQL AB + Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -26,6 +26,11 @@ #include "openssl/ssl.h" // SSL_ERROR_WANT_READ #include <string.h> // strncpy +#ifdef _MSC_VER + // 4996 warning to use MS extensions e.g., strcpy_s instead of strncpy + #pragma warning(disable: 4996) +#endif + namespace yaSSL { @@ -50,7 +55,7 @@ Library Error::get_lib() const */ -void SetErrorString(YasslError error, char* buffer) +void SetErrorString(unsigned long error, char* buffer) { using namespace TaoCrypt; const int max = MAX_ERROR_SZ; // shorthand @@ -123,7 +128,7 @@ void SetErrorString(YasslError error, char* buffer) break; case badVersion_error : - strncpy(buffer, "protocl version mismatch", max); + strncpy(buffer, "protocol version mismatch", max); break; case compress_error : diff --git a/extra/yassl/src/yassl_imp.cpp b/extra/yassl/src/yassl_imp.cpp index 2030163d35a..d981605d35a 100644 --- a/extra/yassl/src/yassl_imp.cpp +++ b/extra/yassl/src/yassl_imp.cpp @@ -1,6 +1,5 @@ /* - Copyright (c) 2005-2008 MySQL AB, 2009 Sun Microsystems, Inc. - Use is subject to license terms. + Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -137,9 +136,19 @@ void DH_Server::build(SSL& ssl) const CertManager& cert = ssl.getCrypto().get_certManager(); if (ssl.getSecurity().get_parms().sig_algo_ == rsa_sa_algo) + { + if (cert.get_keyType() != rsa_sa_algo) { + ssl.SetError(privateKey_error); + return; + } auth.reset(NEW_YS RSA(cert.get_privateKey(), cert.get_privateKeyLength(), false)); + } else { + if (cert.get_keyType() != dsa_sa_algo) { + ssl.SetError(privateKey_error); + return; + } auth.reset(NEW_YS DSS(cert.get_privateKey(), cert.get_privateKeyLength(), false)); sigSz += DSS_ENCODED_EXTRA; @@ -437,18 +446,21 @@ Parameters::Parameters(ConnectionEnd ce, const Ciphers& ciphers, pending_ = true; // suite not set yet strncpy(cipher_name_, "NONE", 5); + removeDH_ = !haveDH; // only use on server side for set suites + if (ciphers.setSuites_) { // use user set list suites_size_ = ciphers.suiteSz_; memcpy(suites_, ciphers.suites_, ciphers.suiteSz_); SetCipherNames(); } else - SetSuites(pv, ce == server_end && !haveDH); // defaults + SetSuites(pv, ce == server_end && removeDH_); // defaults } -void Parameters::SetSuites(ProtocolVersion pv, bool removeDH) +void Parameters::SetSuites(ProtocolVersion pv, bool removeDH, bool removeRSA, + bool removeDSA) { int i = 0; // available suites, best first @@ -457,67 +469,87 @@ void Parameters::SetSuites(ProtocolVersion pv, bool removeDH) if (isTLS(pv)) { if (!removeDH) { - suites_[i++] = 0x00; - suites_[i++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA; - suites_[i++] = 0x00; - suites_[i++] = TLS_DHE_DSS_WITH_AES_256_CBC_SHA; + if (!removeRSA) { + suites_[i++] = 0x00; + suites_[i++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA; + } + if (!removeDSA) { + suites_[i++] = 0x00; + suites_[i++] = TLS_DHE_DSS_WITH_AES_256_CBC_SHA; + } + } + if (!removeRSA) { + suites_[i++] = 0x00; + suites_[i++] = TLS_RSA_WITH_AES_256_CBC_SHA; } - suites_[i++] = 0x00; - suites_[i++] = TLS_RSA_WITH_AES_256_CBC_SHA; - if (!removeDH) { - suites_[i++] = 0x00; - suites_[i++] = TLS_DHE_RSA_WITH_AES_128_CBC_SHA; - suites_[i++] = 0x00; - suites_[i++] = TLS_DHE_DSS_WITH_AES_128_CBC_SHA; + if (!removeRSA) { + suites_[i++] = 0x00; + suites_[i++] = TLS_DHE_RSA_WITH_AES_128_CBC_SHA; + } + if (!removeDSA) { + suites_[i++] = 0x00; + suites_[i++] = TLS_DHE_DSS_WITH_AES_128_CBC_SHA; + } + } + if (!removeRSA) { + suites_[i++] = 0x00; + suites_[i++] = TLS_RSA_WITH_AES_128_CBC_SHA; + suites_[i++] = 0x00; + suites_[i++] = TLS_RSA_WITH_AES_256_CBC_RMD160; + suites_[i++] = 0x00; + suites_[i++] = TLS_RSA_WITH_AES_128_CBC_RMD160; + suites_[i++] = 0x00; + suites_[i++] = TLS_RSA_WITH_3DES_EDE_CBC_RMD160; } - suites_[i++] = 0x00; - suites_[i++] = TLS_RSA_WITH_AES_128_CBC_SHA; - - suites_[i++] = 0x00; - suites_[i++] = TLS_RSA_WITH_AES_256_CBC_RMD160; - suites_[i++] = 0x00; - suites_[i++] = TLS_RSA_WITH_AES_128_CBC_RMD160; - suites_[i++] = 0x00; - suites_[i++] = TLS_RSA_WITH_3DES_EDE_CBC_RMD160; - if (!removeDH) { + if (!removeRSA) { + suites_[i++] = 0x00; + suites_[i++] = TLS_DHE_RSA_WITH_AES_256_CBC_RMD160; + suites_[i++] = 0x00; + suites_[i++] = TLS_DHE_RSA_WITH_AES_128_CBC_RMD160; + suites_[i++] = 0x00; + suites_[i++] = TLS_DHE_RSA_WITH_3DES_EDE_CBC_RMD160; + } + if (!removeDSA) { + suites_[i++] = 0x00; + suites_[i++] = TLS_DHE_DSS_WITH_AES_256_CBC_RMD160; + suites_[i++] = 0x00; + suites_[i++] = TLS_DHE_DSS_WITH_AES_128_CBC_RMD160; + suites_[i++] = 0x00; + suites_[i++] = TLS_DHE_DSS_WITH_3DES_EDE_CBC_RMD160; + } + } + } + + if (!removeRSA) { suites_[i++] = 0x00; - suites_[i++] = TLS_DHE_RSA_WITH_AES_256_CBC_RMD160; - suites_[i++] = 0x00; - suites_[i++] = TLS_DHE_RSA_WITH_AES_128_CBC_RMD160; + suites_[i++] = SSL_RSA_WITH_RC4_128_SHA; suites_[i++] = 0x00; - suites_[i++] = TLS_DHE_RSA_WITH_3DES_EDE_CBC_RMD160; + suites_[i++] = SSL_RSA_WITH_RC4_128_MD5; suites_[i++] = 0x00; - suites_[i++] = TLS_DHE_DSS_WITH_AES_256_CBC_RMD160; + suites_[i++] = SSL_RSA_WITH_3DES_EDE_CBC_SHA; suites_[i++] = 0x00; - suites_[i++] = TLS_DHE_DSS_WITH_AES_128_CBC_RMD160; - suites_[i++] = 0x00; - suites_[i++] = TLS_DHE_DSS_WITH_3DES_EDE_CBC_RMD160; - } + suites_[i++] = SSL_RSA_WITH_DES_CBC_SHA; } - - suites_[i++] = 0x00; - suites_[i++] = SSL_RSA_WITH_RC4_128_SHA; - suites_[i++] = 0x00; - suites_[i++] = SSL_RSA_WITH_RC4_128_MD5; - - suites_[i++] = 0x00; - suites_[i++] = SSL_RSA_WITH_3DES_EDE_CBC_SHA; - suites_[i++] = 0x00; - suites_[i++] = SSL_RSA_WITH_DES_CBC_SHA; - if (!removeDH) { - suites_[i++] = 0x00; - suites_[i++] = SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA; - suites_[i++] = 0x00; - suites_[i++] = SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA; - - suites_[i++] = 0x00; - suites_[i++] = SSL_DHE_RSA_WITH_DES_CBC_SHA; - suites_[i++] = 0x00; - suites_[i++] = SSL_DHE_DSS_WITH_DES_CBC_SHA; + if (!removeRSA) { + suites_[i++] = 0x00; + suites_[i++] = SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA; + } + if (!removeDSA) { + suites_[i++] = 0x00; + suites_[i++] = SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA; + } + if (!removeRSA) { + suites_[i++] = 0x00; + suites_[i++] = SSL_DHE_RSA_WITH_DES_CBC_SHA; + } + if (!removeDSA) { + suites_[i++] = 0x00; + suites_[i++] = SSL_DHE_DSS_WITH_DES_CBC_SHA; + } } suites_size_ = i; @@ -852,21 +884,19 @@ void Alert::Process(input_buffer& input, SSL& ssl) else hmac(ssl, verify, data, aSz, alert, true); - // read mac and fill + // read mac and skip fill int digestSz = ssl.getCrypto().get_digest().get_digestSize(); opaque mac[SHA_LEN]; input.read(mac, digestSz); if (ssl.getSecurity().get_parms().cipher_type_ == block) { int ivExtra = 0; - opaque fill; if (ssl.isTLSv1_1()) ivExtra = ssl.getCrypto().get_cipher().get_blockSize(); int padSz = ssl.getSecurity().get_parms().encrypt_size_ - ivExtra - aSz - digestSz; - for (int i = 0; i < padSz; i++) - fill = input[AUTO]; + input.set_current(input.get_current() + padSz); } // verify @@ -949,17 +979,17 @@ output_buffer& operator<<(output_buffer& output, const Data& data) void Data::Process(input_buffer& input, SSL& ssl) { int msgSz = ssl.getSecurity().get_parms().encrypt_size_; - int pad = 0, padByte = 0; + int pad = 0, padSz = 0; int ivExtra = 0; if (ssl.getSecurity().get_parms().cipher_type_ == block) { if (ssl.isTLSv1_1()) // IV ivExtra = ssl.getCrypto().get_cipher().get_blockSize(); pad = *(input.get_buffer() + input.get_current() + msgSz -ivExtra - 1); - padByte = 1; + padSz = 1; } int digestSz = ssl.getCrypto().get_digest().get_digestSize(); - int dataSz = msgSz - ivExtra - digestSz - pad - padByte; + int dataSz = msgSz - ivExtra - digestSz - pad - padSz; opaque verify[SHA_LEN]; const byte* rawData = input.get_buffer() + input.get_current(); @@ -988,14 +1018,10 @@ void Data::Process(input_buffer& input, SSL& ssl) hmac(ssl, verify, rawData, dataSz, application_data, true); } - // read mac and fill + // read mac and skip fill opaque mac[SHA_LEN]; - opaque fill; input.read(mac, digestSz); - for (int i = 0; i < pad; i++) - fill = input[AUTO]; - if (padByte) - fill = input[AUTO]; + input.set_current(input.get_current() + pad + padSz); // verify if (dataSz) { @@ -1472,7 +1498,19 @@ void ClientHello::Process(input_buffer&, SSL& ssl) // downgrade to SSLv3 ssl.useSecurity().use_connection().TurnOffTLS(); ProtocolVersion pv = ssl.getSecurity().get_connection().version_; - ssl.useSecurity().use_parms().SetSuites(pv); // reset w/ SSL suites + bool removeDH = ssl.getSecurity().get_parms().removeDH_; + bool removeRSA = false; + bool removeDSA = false; + + const CertManager& cm = ssl.getCrypto().get_certManager(); + if (cm.get_keyType() == rsa_sa_algo) + removeDSA = true; + else + removeRSA = true; + + // reset w/ SSL suites + ssl.useSecurity().use_parms().SetSuites(pv, removeDH, removeRSA, + removeDSA); } else if (ssl.isTLSv1_1() && client_version_.minor_ == 1) // downgrade to TLSv1, but use same suites @@ -1518,6 +1556,7 @@ void ClientHello::Process(input_buffer&, SSL& ssl) return; } ssl.matchSuite(cipher_suites_, suite_len_); + if (ssl.GetError()) return; ssl.set_pending(ssl.getSecurity().get_parms().suite_[1]); if (compression_methods_ == zlib) @@ -2028,11 +2067,9 @@ void Finished::Process(input_buffer& input, SSL& ssl) if (ssl.isTLSv1_1()) ivExtra = ssl.getCrypto().get_cipher().get_blockSize(); - opaque fill; int padSz = ssl.getSecurity().get_parms().encrypt_size_ - ivExtra - HANDSHAKE_HEADER - finishedSz - digestSz; - for (int i = 0; i < padSz; i++) - fill = input[AUTO]; + input.set_current(input.get_current() + padSz); // verify mac if (memcmp(mac, verifyMAC, digestSz)) { diff --git a/extra/yassl/src/yassl_int.cpp b/extra/yassl/src/yassl_int.cpp index 18acf752e98..66a854e6922 100644 --- a/extra/yassl/src/yassl_int.cpp +++ b/extra/yassl/src/yassl_int.cpp @@ -1,6 +1,5 @@ /* - Copyright (c) 2005-2007 MySQL AB, 2009 Sun Microsystems, Inc. - Use is subject to license terms. + Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -41,28 +40,28 @@ void* operator new(size_t sz, yaSSL::new_t) { - void* ptr = malloc(sz ? sz : 1); - if (!ptr) abort(); + void* ptr = malloc(sz ? sz : 1); + if (!ptr) abort(); - return ptr; + return ptr; } void operator delete(void* ptr, yaSSL::new_t) { - if (ptr) free(ptr); + if (ptr) free(ptr); } void* operator new[](size_t sz, yaSSL::new_t nt) { - return ::operator new(sz, nt); + return ::operator new(sz, nt); } void operator delete[](void* ptr, yaSSL::new_t nt) { - ::operator delete(ptr, nt); + ::operator delete(ptr, nt); } namespace yaSSL { @@ -309,6 +308,20 @@ SSL::SSL(SSL_CTX* ctx) SetError(YasslError(err)); return; } + else if (serverSide && !(ctx->GetCiphers().setSuites_)) { + // remove RSA or DSA suites depending on cert key type + ProtocolVersion pv = secure_.get_connection().version_; + + bool removeDH = secure_.use_parms().removeDH_; + bool removeRSA = false; + bool removeDSA = false; + + if (cm.get_keyType() == rsa_sa_algo) + removeDSA = true; + else + removeRSA = true; + secure_.use_parms().SetSuites(pv, removeDH, removeRSA, removeDSA); + } } else if (serverSide) { SetError(no_key_file); @@ -321,6 +334,7 @@ SSL::SSL(SSL_CTX* ctx) cm.setVerifyNone(); if (ctx->getMethod()->failNoCert()) cm.setFailNoCert(); + cm.setVerifyCallback(ctx->getVerifyCallback()); if (serverSide) crypto_.SetDH(ctx->GetDH_Parms()); @@ -1040,7 +1054,7 @@ void SSL::fillData(Data& data) data.set_length(0); // output, actual data filled dataSz = min(dataSz, bufferedData()); - for (uint i = 0; i < elements; i++) { + for (size_t i = 0; i < elements; i++) { input_buffer* front = buffers_.getData().front(); uint frontSz = front->get_remaining(); uint readSz = min(dataSz - data.get_length(), frontSz); @@ -1064,7 +1078,7 @@ void SSL::fillData(Data& data) void SSL::PeekData(Data& data) { if (GetError()) return; - uint dataSz = data.get_length(); // input, data size to fill + uint dataSz = data.get_length(); // input, data size to fill size_t elements = buffers_.getData().size(); data.set_length(0); // output, actual data filled @@ -1101,7 +1115,7 @@ void SSL::flushBuffer() output_buffer out(sz); size_t elements = buffers_.getHandShake().size(); - for (uint i = 0; i < elements; i++) { + for (size_t i = 0; i < elements; i++) { output_buffer* front = buffers_.getHandShake().front(); out.write(front->get_buffer(), front->get_size()); @@ -1277,6 +1291,7 @@ void SSL::matchSuite(const opaque* peer, uint length) if (secure_.use_parms().suites_[i] == peer[j]) { secure_.use_parms().suite_[0] = 0x00; secure_.use_parms().suite_[1] = peer[j]; + return; } @@ -1285,7 +1300,7 @@ void SSL::matchSuite(const opaque* peer, uint length) void SSL::set_session(SSL_SESSION* s) -{ +{ if (getSecurity().GetContext()->GetSessionCacheOff()) return; @@ -1566,13 +1581,19 @@ Errors& GetErrors() typedef Mutex::Lock Lock; + void Sessions::add(const SSL& ssl) { if (ssl.getSecurity().get_connection().sessionID_Set_) { - Lock guard(mutex_); - list_.push_back(NEW_YS SSL_SESSION(ssl, random_)); + Lock guard(mutex_); + list_.push_back(NEW_YS SSL_SESSION(ssl, random_)); + count_++; } + + if (count_ > SESSION_FLUSH_COUNT) + if (!ssl.getSecurity().GetContext()->GetSessionCacheFlushOff()) + Flush(); } @@ -1661,6 +1682,25 @@ void Sessions::remove(const opaque* id) } +// flush expired sessions from cache +void Sessions::Flush() +{ + Lock guard(mutex_); + sess_iterator next = list_.begin(); + uint current = lowResTimer(); + + while (next != list_.end()) { + sess_iterator si = next; + ++next; + if ( ((*si)->GetBornOn() + (*si)->GetTimeOut()) < current) { + del_ptr_zero()(*si); + list_.erase(si); + } + } + count_ = 0; // reset flush counter +} + + // remove a self thread error void Errors::Remove() { @@ -1765,7 +1805,8 @@ bool SSL_METHOD::multipleProtocol() const SSL_CTX::SSL_CTX(SSL_METHOD* meth) : method_(meth), certificate_(0), privateKey_(0), passwordCb_(0), - userData_(0), sessionCacheOff_(false) + userData_(0), sessionCacheOff_(false), sessionCacheFlushOff_(false), + verifyCallback_(0) {} @@ -1792,6 +1833,12 @@ SSL_CTX::GetCA_List() const } +VerifyCallback SSL_CTX::getVerifyCallback() const +{ + return verifyCallback_; +} + + const x509* SSL_CTX::getCert() const { return certificate_; @@ -1852,6 +1899,12 @@ bool SSL_CTX::GetSessionCacheOff() const } +bool SSL_CTX::GetSessionCacheFlushOff() const +{ + return sessionCacheFlushOff_; +} + + void SSL_CTX::SetUserData(void* data) { userData_ = data; @@ -1864,6 +1917,12 @@ void SSL_CTX::SetSessionCacheOff() } +void SSL_CTX::SetSessionCacheFlushOff() +{ + sessionCacheFlushOff_ = true; +} + + void SSL_CTX::setVerifyPeer() { method_->setVerifyPeer(); @@ -1882,6 +1941,12 @@ void SSL_CTX::setFailNoCert() } +void SSL_CTX::setVerifyCallback(VerifyCallback vc) +{ + verifyCallback_ = vc; +} + + bool SSL_CTX::SetDH(const DH& dh) { dhParms_.p_ = dh.p->int_; @@ -2317,7 +2382,7 @@ X509::X509(const char* i, size_t iSz, const char* s, size_t sSz, : issuer_(i, iSz), subject_(s, sSz), beforeDate_(b, bSz), afterDate_(a, aSz) {} - + X509_NAME* X509::GetIssuer() { @@ -2355,10 +2420,10 @@ ASN1_STRING* X509_NAME::GetEntry(int i) memcpy(entry_.data, &name_[i], sz_ - i); if (entry_.data[sz_ -i - 1]) { entry_.data[sz_ - i] = 0; - entry_.length = (int) (sz_ - i); + entry_.length = int(sz_) - i; } else - entry_.length = (int) (sz_ - i - 1); + entry_.length = int(sz_) - i - 1; entry_.type = 0; return &entry_; |